On demand, Winxor.A scans for open ports in IP addresses that could either belong to a given range, or be random. Then, it checks if those remote computers present the Vulnerability in WINS service, which is critical for Windows 2003/2000/NT servers, and allows to remotely execute arbitrary code.

Winxor.A installs an FTP server in the port 36010, and uses it to transfer itself to remote computers in which the vulnerability can be successfully exploited.

Although the WINS vulnerability can be found in the operating systems specified above, bear in mind that the actions of Winxor.A are not only limited to those, as it can affect Windows 2003/XP/2000/NT/Me/98/95 computers.

If you are the administrator of a Windows 2003/2000/NT server, it is recommendable to download and apply the security patch for the vulnerability in the WINS service. Access the web page for downloading the patch.

Visible Symptoms

Winxor.A is difficult to recognize, as it does not display any messages or warnings that indicate it has reached the computer.